Lawmakers on the House Homeland Security Committee questioned Microsoft President Brad Smith on June 13 over security “shortfalls” that allowed China-linked hackers to breach the software company’s systems last year.
The incident, which Microsoft attributed to the China-based hacking group Storm-0558, compromised the emails of more than 500 people, including the secretary of commerce.
In addition to stealing 60,000 U.S. State Department emails, the group obtained a list of all State Department email addresses and officials’ travel itineraries ahead of Secretary of State Antony Blinken’s June 2023 trip to Beijing.
Mr. Smith did not refute that conclusion as he testified before the Homeland Security panel.
“We accept responsibility for each and every finding in the CSRB report,” he said in his opening remarks.
The board partly attributed the success of the hack to Microsoft’s decision to delay the retirement of authentication keys in 2021. If the company had gone forward with that plan, the hackers’ forged keys would have been useless.
Rep. Marjorie Taylor Greene (R-Ga.) said she appreciated Microsoft’s acceptance of responsibility for its failures, noting, “We don’t hear that very often here.”
Others on the committee were less impressed.
Rep. Lou Correa (D-Calif.) said he was “beyond shocked” to read about the security failures at Microsoft as it’s a key vendor for U.S. defense and intelligence agencies.
“You have our trust, our business, both at the public and the private sector. And to hear about what’s going on here is very disturbing at best,” Mr. Correa said.
“We often say here that the chain is only as strong as its weakest link. Are you going to strengthen up? Are you going to do a better job over there?”
Mr. Smith replied, “Absolutely.”
In another exchange, Rep. Carlos Gimenez (R-Fla.) hammered the executive over Microsoft’s choice to do business in China.
Citing a Chinese law that requires all organizations operating in China to cooperate with the country’s intelligence agencies, Mr. Gimenez asked if Microsoft complies with that law.
“No, we do not,” Mr. Smith replied. He explained that Microsoft had made it clear to the Chinese regime that it would not acquiesce to certain requests, and that there was “no point in arresting” employees who were just following company orders.
Mr. Gimenez expressed doubt that the Chinese regime would honor Microsoft’s wishes. He also questioned whether it was worth it for the software giant to do business in China knowing the safety and security risks involved.
“I do think that there’s two valuable reasons for us to be in China, and I think that they both serve the interest of the United States,” Mr. Smith said. “The first is to protect American information, American trade secrets of American companies who are doing business in China. And the second is to ensure that we’re always learning from what’s going on in the rest of the world.”
The hearing comes amid Microsoft’s rollout of Recall, a new Windows feature that takes continuous screenshots of users’ activity to create a retrievable timeline of information. The feature, only available on Microsoft’ s new Copilot+ line of PCs, is set to go live in preview mode on June 18, but security experts have voiced privacy and data safety concerns.
Microsoft has nonetheless said that it is working on improving and enforcing its security processes in the wake of the 2023 breach.
Last November, the company launched a new cybersecurity initiative to prepare for “the increasing scale and high stakes of cyberattacks.” In May, Microsoft announced it would expand that initiative in light of the CSRB’s report.
“Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more,” the company said in a statement, promising to make security its “top priority.”
